Most UK organisations are not ready for the Data Use and Access Act (DUAA), with widespread gaps in staff training leaving firms vulnerable to compliance failures, according to research by compliance software and training provider VinciWorks.
The survey of 373 compliance professionals found that just 1.6% of organisations considered themselves fully prepared for the new law, which will replace parts of the UK GDPR in 2025.
Nearly three-quarters (77%) admitted they are either not prepared, unsure, or only beginning preparations.
The DUAA introduces stricter rules on data access, breach reporting, and privacy governance.
Almost half (47%) of respondents cited updating governance, training, and vendor management as their main difficulty, while 39% said staff training will be their top priority in the next six months.
The report also found that human error remains the biggest risk to data protection, identified by 56% of respondents, far outpacing phishing or cyberattacks (12%).
Legal and financial services organisations were found to be the least prepared, with fewer than one in twenty ready for the DUAA, while the education sector showed high levels of uncertainty, with 30% saying they were “not sure” how to assess their readiness.
Nick Henderson-Mayo, head of compliance at VinciWorks, said: “Most cyber compliance failures start with human error, and our research shows that awareness is the missing piece, not technology.
“Organisations can’t rely on IT systems alone; they need to build a culture of understanding and accountability across every team.
“The organisations investing in better training and awareness throughout the employee lifecycle will be the ones who avoid fines and build lasting trust with clients and regulators.”